E-mail phishing scam extends beyond Hotmail to other popular services


Yesterday we reported about how thousands of Hotmail accounts had been compromised. In total it was thought just over 10,000 accounts had been gathered as part of a phishing scam. But it turns out the scam has been much more successful than that and extends beyond Hotmail to other e-mail services as well.

The initial list of 10,000 accounts has now expanded to over 30,000 and was found to include Hotmail, Gmail, AOL, Yahoo!, Comcast, and Earthlink e-mail account details. Google said only 500 of its accounts had been affected and that action had already been taken to protect those users:

We recently became aware of an industry-wide phishing scheme through which hackers gained user credentials for web-based mail accounts including Gmail accounts. As soon as we learned of the attack, we forced password resets on the affected accounts. We will continue to force password resets on additional accounts when we become aware of them.

Other providers including Microsoft and Yahoo! are asking users to be more careful when accessing web pages and attachments. Google has also posted to its blog giving tips on choosing smart passwords.

There is little that can be done from the service's point of view, as these phishing scams get users to divulge their security details themselves. No specific service is being hacked: the attackers already hold the credentials they need to gain access to an account.

I think the main problem with phishing attacks is that unless the user knows what to look for, they can easily mistake a scam page for one that is legitimate. New users will not know to look for the security padlock or the color-coded URL bar, or to check the URL itself to ensure it points to the right address. If a page looks like the real Hotmail login, and then asks for additional security details as part of a check, then many people would enter those details as they have no suspicion the site is fake and just want to see their e-mail.

The usual measures apply to help protect you from such scams. Use a different password for every login you have, change your passwords regularly, use strong passwords, and ensure the pages you visit are the legitimate ones. An easy way to do that is to bookmark the legitimate pages and only ever visit them through those links you created.
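As an added example of the "check the URL itself" advice in the two paragraphs above (not code from the article), the Python function below compares the address a login page is served from against an allowlist of legitimate login hosts and rejects the ways a lookalike address can pass a glance. The allowlist entries login.live.com and mail.google.com are assumptions for illustration, not taken from the article.

```python
from typing import FrozenSet, Tuple
from urllib.parse import urlsplit

# Assumed allowlist of legitimate web-mail login hosts (illustration only).
LEGITIMATE_LOGIN_HOSTS: FrozenSet[str] = frozenset({"login.live.com", "mail.google.com"})


def check_login_url(url: str, allowed_hosts: FrozenSet[str] = LEGITIMATE_LOGIN_HOSTS) -> Tuple[bool, str]:
    """Return (ok, reason) for a URL the user is about to type credentials into.

    The checks mirror what a careful user does by eye: require HTTPS, make
    sure the host is exactly a known login host, and refuse addresses that
    merely contain a legitimate name somewhere in a longer host.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False, "not HTTPS (scheme=%r)" % (parts.scheme or "none")
    if "@" in parts.netloc:
        # 'https://login.live.com@other.example/' actually connects to other.example;
        # the text before '@' is user-info, not the host.
        return False, "user-info '@' in the address hides the real host"
    host = (parts.hostname or "").rstrip(".").lower()
    if host in allowed_hosts:
        return True, "host is on the allowlist"
    for good in allowed_hosts:
        if host.endswith("." + good):
            # A sub-domain of a legitimate host is still not the login page itself.
            return False, "sub-domain of %s is not on the allowlist" % good
        # 'login.live.com.other.example' or 'login-live-com.example' reads like the
        # real name but is registered under a different domain.
        if good in host or good.replace(".", "-") in host:
            return False, "host %r imitates %r" % (host, good)
    return False, "host %r is not a known login page" % host


if __name__ == "__main__":
    # Constructed sample addresses; 'other.example' is a reserved placeholder domain.
    for sample in (
        "https://login.live.com/login.srf",
        "http://login.live.com/",
        "https://login.live.com@other.example/",
        "https://login.live.com.other.example/",
        "https://other.example/hotmail/login",
    ):
        ok, why = check_login_url(sample)
        print("%-45s %s (%s)" % (sample, "OK" if ok else "REJECT", why))
```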

Speak Your Mind

Joseph A’Deo

At VeriSign we’re hoping that this is a wake-up call for both web-based email providers and their users, since it seems as though protecting against further compromises such as these will require work on both sides of the equation. Email services need to provide more robust forms of protection — like extended validation SSL, which is something you note above — and two-factor authentication, which could REALLY help here (if all those email users had a 2FA token it wouldn’t matter if their passwords were hacked). And, of course, users need to become a bit better versed in these matters and take some of the measures you note. Using the internet is an indispensable part of life now, but with it comes responsibilities.